build(deps): bump github/codeql-action in the actions group (#85)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/dependabot.yml

@@ -0,0 +1,12 @@
+---
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      actions:
+        patterns:
+          - "*"
+...

.github/workflows/ci.yml

@@ -6,13 +6,17 @@ on:
       - main
   pull_request:
 
+permissions: {}
+
 jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
-          python-version: "3.7"
+          persist-credentials: false
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+        with:
+          python-version: "3.x"
       - name: lint
         run: make lint

.github/workflows/selftest.yml

@@ -7,11 +7,22 @@ on:
   pull_request:
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
 jobs:
   selftest-requirements:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
       - uses: ./
         id: pip-audit
         with:
@@ -21,6 +32,7 @@ jobs:
           # explicitly uses a vulnerable requirements file.
           internal-be-careful-allow-failure: true
       - name: assert expected output
+        shell: bash
         env:
           PIP_AUDIT_OUTPUT: "${{ steps.pip-audit.outputs.internal-be-careful-output }}"
         run: |
@@ -29,7 +41,9 @@ jobs:
   selftest-environment:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
       - name: make the environment vulnerable
         run: |
           python -m pip install --no-deps --requirement ./test/vulnerable.txt
@@ -51,7 +65,9 @@ jobs:
         local: [true, false]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
       - name: make a virtual environment vulnerable
         run: |
           python -m venv env
@@ -74,7 +90,9 @@ jobs:
   selftest-pyproject:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
       - uses: ./
         id: pip-audit
         with:
@@ -88,10 +106,13 @@ jobs:
           PIP_AUDIT_OUTPUT: "${{ steps.pip-audit.outputs.internal-be-careful-output }}"
         run: |
           grep -E 'pyyaml\s+\|\s+5.1' <<< $(base64 -d <<< "${PIP_AUDIT_OUTPUT}")
+
   selftest-pipaudit-fail:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
       - uses: ./
         id: pip-audit
         with:
@@ -106,3 +127,43 @@ jobs:
           PIP_AUDIT_OUTPUT: "${{ steps.pip-audit.outputs.internal-be-careful-output }}"
         run: |
           grep 'pip-audit did not return any output' <<< $(base64 -d <<< "${PIP_AUDIT_OUTPUT}")
+
+  selftest-locked:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+      - uses: ./
+        id: pip-audit
+        with:
+          # should attempt to discover test/pylock/pylock.toml
+          inputs: test/pylock/
+          locked: true
+          # NOTE: We intentionally allow failure here, since the self-test
+          # explicitly uses a vulnerable requirements file.
+          internal-be-careful-allow-failure: true
+      - name: assert expected output
+        env:
+          PIP_AUDIT_OUTPUT: "${{ steps.pip-audit.outputs.internal-be-careful-output }}"
+        run: |
+          grep -E 'pyyaml\s+\|\s+5.1' <<< $(base64 -d <<< "${PIP_AUDIT_OUTPUT}")
+
+  all-selftests-pass:
+    if: always()
+
+    needs:
+      - selftest-requirements
+      - selftest-environment
+      - selftest-virtualenv
+      - selftest-pyproject
+      - selftest-pipaudit-fail
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: check test jobs
+        if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
+        uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
+        with:
+          jobs: ${{ toJSON(needs) }}

.github/workflows/semgrep.yml

@@ -1,3 +1,5 @@
+name: Semgrep
+
 on:
   pull_request: {}
   push:
@@ -8,15 +10,19 @@ on:
     - .github/workflows/semgrep.yml
   schedule:
   - cron: '0 0 * * 0'
-name: Semgrep
+
+permissions: {}
+
 jobs:
   semgrep:
     name: Scan
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     env:
       SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
     container:
-      image: returntocorp/semgrep
+      image: semgrep/semgrep
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        persist-credentials: false
     - run: semgrep ci

.github/workflows/zizmor.yml

@@ -0,0 +1,38 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: zizmor latest via PyPI
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      # required for workflows in private repositories
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@681c641aba71e4a1c380be3ab5e12ad51f415867 # v7.1.6
+
+      - name: Run zizmor 🌈
+        run: uvx zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        with:
+          sarif_file: results.sarif
+          category: zizmor

README.md

@@ -29,10 +29,10 @@ jobs:
   selftest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: install
         run: python -m pip install .
-      - uses: pypa/gh-action-pip-audit@v1.0.8
+      - uses: pypa/gh-action-pip-audit@v1.1.0
 ```
 
 Or, with a virtual environment:
@@ -42,13 +42,13 @@ jobs:
   selftest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: install
         run: |
           python -m venv env/
           source env/bin/activate
           python -m pip install .
-      - uses: pypa/gh-action-pip-audit@v1.0.8
+      - uses: pypa/gh-action-pip-audit@v1.1.0
         with:
           virtual-environment: env/
 ```
@@ -72,7 +72,7 @@ The `inputs` setting controls what sources `pip-audit` runs on.
 To audit one or more requirements-style inputs:
 
 ```yaml
-- uses: pypa/gh-action-pip-audit@v1.0.8
+- uses: pypa/gh-action-pip-audit@v1.1.0
   with:
     inputs: requirements.txt dev-requirements.txt
 ```
@@ -80,7 +80,7 @@ To audit one or more requirements-style inputs:
 To audit a project that uses `pyproject.toml` for its dependencies:
 
 ```yaml
-- uses: pypa/gh-action-pip-audit@v1.0.8
+- uses: pypa/gh-action-pip-audit@v1.1.0
   with:
     # NOTE: this can be `.`, for the current directory
     inputs: path/to/project/
@@ -108,7 +108,7 @@ Example: use the virtual environment specified at `env/`, relative to the
 current directory:
 
 ```yaml
-- uses: pypa/gh-action-pip-audit@v1.0.8
+- uses: pypa/gh-action-pip-audit@v1.1.0
   with:
     virtual-environment: env/
     # Note the absence of `input:`, since we're auditing the environment.
@@ -128,7 +128,7 @@ installed directly into the current environment are included.
 Example:
 
 ```yaml
-- uses: pypa/gh-action-pip-audit@v1.0.8
+- uses: pypa/gh-action-pip-audit@v1.1.0
   with:
     local: true
 ```
@@ -145,7 +145,7 @@ It's directly equivalent to `pip-audit --vulnerability-service=...`.
 To audit with OSV instead of PyPI:
 
 ```yaml
-- uses: pypa/gh-action-pip-audit@v1.0.8
+- uses: pypa/gh-action-pip-audit@v1.1.0
   with:
     vulnerability-service: osv
 ```
@@ -160,7 +160,7 @@ It's directly equivalent to `pip-audit --require-hashes ...`.
 Example:
 
 ```yaml
-- uses: pypa/gh-action-pip-audit@v1.0.8
+- uses: pypa/gh-action-pip-audit@v1.1.0
   with:
     # NOTE: only works with requirements-style inputs
     inputs: requirements.txt
@@ -177,7 +177,7 @@ It's directly equivalent to `pip-audit --no-deps ...`.
 Example:
 
 ```yaml
-- uses: pypa/gh-action-pip-audit@v1.0.8
+- uses: pypa/gh-action-pip-audit@v1.1.0
   with:
     # NOTE: only works with requirements-style inputs
     inputs: requirements.txt
@@ -195,7 +195,7 @@ is rendered at the end of the action.
 Example:
 
 ```yaml
-- uses: pypa/gh-action-pip-audit@v1.0.8
+- uses: pypa/gh-action-pip-audit@v1.1.0
   with:
     summary: false
   ```
@@ -214,7 +214,7 @@ indices to search (such as a corporate index with private packages), see
 Example:
 
 ```yaml
-- uses: pypa/gh-action-pip-audit@v1.0.8
+- uses: pypa/gh-action-pip-audit@v1.1.0
   with:
     index-url: https://example.corporate.local/simple
 ```
@@ -229,7 +229,7 @@ indexes to search when resolving dependencies. Each URL is whitespace-separated.
 Example:
 
 ```yaml
-- uses: pypa/gh-action-pip-audit@v1.0.8
+- uses: pypa/gh-action-pip-audit@v1.1.0
   with:
     extra-index-urls: |
       https://example.corporate.local/simple
@@ -246,13 +246,45 @@ ignore (i.e., exclude from the results) if present. Each ID is whitespace-separa
 Example
 
 ```yaml
-- uses: pypa/gh-action-pip-audit@v1.0.8
+- uses: pypa/gh-action-pip-audit@v1.1.0
   with:
     ignore-vulns: |
       GHSA-XXXX-YYYYYY
       PYSEC-AAAA-BBBBB
 ```
 
+### `disable-pip`
+
+**Default**: `false`
+
+The `disable-pip` setting disable the use of `pip` for dependency resolution. This can only be used with
+hashed requirements files or if the `no-deps` setting has been provided.
+
+Example
+
+```yaml
+- uses: pypa/gh-action-pip-audit@v1.1.0
+  with:
+    inputs: requirements.lock
+    disable-pip: true
+    no-deps: true
+```
+
+### `locked`
+
+**Default**: `false`
+
+The `locked` setting enables audits of lock files (`pylock.*.toml`) from the local Python project.
+
+Example
+
+```yaml
+- uses: pypa/gh-action-pip-audit@v1.1.0
+  with:
+    inputs: path/to/project/
+    locked: true
+```
+
 ### Internal options
 <details>
   <summary>⚠️ Internal options ⚠️</summary>
@@ -276,7 +308,7 @@ Example
   Example:
 
   ```yaml
-  - uses: pypa/gh-action-pip-audit@v1.0.8
+  - uses: pypa/gh-action-pip-audit@v1.1.0
     with:
       internal-be-careful-allow-failure: true
   ```
@@ -290,7 +322,7 @@ to `pip-audit`.
 Example:
 
 ```yaml
-- uses: pypa/gh-action-pip-audit@v1.0.8
+- uses: pypa/gh-action-pip-audit@v1.1.0
   with:
     internal-be-careful-extra-flags: --not-a-real-pip-audit-flag
 ```
@@ -307,7 +339,7 @@ If you're auditing a requirements file, consider setting `no-deps: true` or
 `require-hashes: true`:
 
 ```yaml
-- uses: pypa/gh-action-pip-audit@v1.0.8
+- uses: pypa/gh-action-pip-audit@v1.1.0
   with:
     inputs: requirements.txt
     require-hashes: true
@@ -316,7 +348,7 @@ If you're auditing a requirements file, consider setting `no-deps: true` or
 or:
 
 ```yaml
-- uses: pypa/gh-action-pip-audit@v1.0.8
+- uses: pypa/gh-action-pip-audit@v1.1.0
   with:
     inputs: requirements.txt
     no-deps: true
@@ -337,7 +369,7 @@ by the host system itself, or other Python projects that happen to be installed.
 To minimize external dependencies, you can opt into a virtual environment:
 
 ```yaml
-- uses: pypa/gh-action-pip-audit@v1.0.8
+- uses: pypa/gh-action-pip-audit@v1.1.0
   with:
     # must be populated earlier in the CI
     virtual-environment: env/
@@ -347,7 +379,7 @@ and, more aggressively, specify that only dependencies marked as "local"
 in the virtual environment should be included:
 
 ```yaml
-- uses: pypa/gh-action-pip-audit@v1.0.8
+- uses: pypa/gh-action-pip-audit@v1.1.0
   with:
     # must be populated earlier in the CI
     virtual-environment: env/
@@ -375,7 +407,7 @@ convert your `Pipfile[.lock]` to a `requirements.txt` file and then run
 jobs:
   pip-audit:
     steps:
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v5
         with:
           python-version: 3.9  # change to your required version of Python
 
@@ -383,7 +415,7 @@ jobs:
         run: |
           pipx run pipfile-requirements Pipfile.lock > requirements.txt
 
-      - uses: pypa/gh-action-pip-audit@v1.0.8
+      - uses: pypa/gh-action-pip-audit@v1.1.0
         with:
           inputs: requirements.txt
 ```

action.py

@@ -12,11 +12,15 @@ import sys
 from base64 import b64encode
 from pathlib import Path
 
+sys.stdout.reconfigure(encoding="utf-8")
+
 _HERE = Path(__file__).parent.resolve()
 _TEMPLATES = _HERE / "templates"
 
-_GITHUB_STEP_SUMMARY = Path(os.getenv("GITHUB_STEP_SUMMARY")).open("a")
-_GITHUB_OUTPUT = Path(os.getenv("GITHUB_OUTPUT")).open("a")
+_GITHUB_STEP_SUMMARY = Path(os.getenv("GITHUB_STEP_SUMMARY")).open(
+    "a", encoding="utf-8"
+)
+_GITHUB_OUTPUT = Path(os.getenv("GITHUB_OUTPUT")).open("a", encoding="utf-8")
 _RENDER_SUMMARY = os.getenv("GHA_PIP_AUDIT_SUMMARY", "true") == "true"
 _DEBUG = os.getenv("RUNNER_DEBUG") is not None
 
@@ -78,6 +82,9 @@ if os.getenv("GHA_PIP_AUDIT_REQUIRE_HASHES", "false") != "false":
 if os.getenv("GHA_PIP_AUDIT_LOCAL", "false") != "false":
     pip_audit_args.append("--local")
 
+if os.getenv("GHA_PIP_DISABLE_PIP", "false") != "false":
+    pip_audit_args.append("--disable-pip")
+
 index_url = os.getenv("GHA_PIP_AUDIT_INDEX_URL")
 if index_url != "":
     pip_audit_args.extend(["--index-url", index_url])
@@ -99,6 +106,10 @@ pip_audit_args.extend(
     ]
 )
 
+locked = os.getenv("GHA_PIP_AUDIT_LOCKED", "false") != "false"
+if locked:
+    pip_audit_args.append("--locked")
+
 # If inputs is empty, we let `pip-audit` run in "`pip list` source" mode by not
 # adding any explicit input argument(s).
 # Otherwise, we handle either exactly one project path (a directory)
@@ -116,6 +127,8 @@ for input_ in inputs:
     else:
         if not input_.is_file():
             _fatal_help(f"input {input_} does not look like a file")
+        if locked:
+            _fatal_help("locked only applies to audits of project paths")
         pip_audit_args.extend(["--requirement", input_])
 
 _debug(f"running: pip-audit {[str(a) for a in pip_audit_args]}")

action.yml

@@ -42,6 +42,14 @@ inputs:
     description: "vulnerabilities to explicitly exclude, if present (whitespace separated)"
     required: false
     default: ""
+  disable-pip:
+    description: "disable pip"
+    required: false
+    default: false
+  locked:
+    description: "audit lock files from the local Python project"
+    required: false
+    default: false
   internal-be-careful-allow-failure:
     description: "don't fail the job if the audit fails (default false)"
     required: false
@@ -71,8 +79,9 @@ runs:
         # NOTE: Sourced, not executed as a script.
         source "${{ github.action_path }}/setup/venv.bash"
 
-        ${{ github.action_path }}/action.py "${{ inputs.inputs }}"
+        python "${{ github.action_path }}/action.py" "$GHA_PIP_AUDIT_INPUTS"
       env:
+        GHA_PIP_AUDIT_INPUTS: "${{ inputs.inputs }}"
         GHA_PIP_AUDIT_SUMMARY: "${{ inputs.summary }}"
         GHA_PIP_AUDIT_NO_DEPS: "${{ inputs.no-deps }}"
         GHA_PIP_AUDIT_REQUIRE_HASHES: "${{ inputs.require-hashes }}"
@@ -82,6 +91,8 @@ runs:
         GHA_PIP_AUDIT_INDEX_URL: "${{ inputs.index-url }}"
         GHA_PIP_AUDIT_EXTRA_INDEX_URLS: "${{ inputs.extra-index-urls }}"
         GHA_PIP_AUDIT_IGNORE_VULNS: "${{ inputs.ignore-vulns }}"
+        GHA_PIP_DISABLE_PIP: "${{ inputs.disable-pip }}"
+        GHA_PIP_AUDIT_LOCKED: "${{ inputs.locked }}"
         GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_ALLOW_FAILURE: "${{ inputs.internal-be-careful-allow-failure }}"
         GHA_PIP_AUDIT_INTERNAL_BE_CAREFUL_EXTRA_FLAGS: "${{ inputs.internal-be-careful-extra-flags }}"
       shell: bash

setup/venv.bash

@@ -17,7 +17,12 @@ fi
 # `python -m pip install ...` invocation might happen to choose.
 if [[ -n "${GHA_PIP_AUDIT_VIRTUAL_ENVIRONMENT}" ]] ; then
   if [[ -d "${GHA_PIP_AUDIT_VIRTUAL_ENVIRONMENT}" ]]; then
-    source "${GHA_PIP_AUDIT_VIRTUAL_ENVIRONMENT}/bin/activate"
+    if [[ "$(uname)" == MSYS_NT* || "$(uname)" == MINGW* ]]; then
+      # execute in windows
+      source "${GHA_PIP_AUDIT_VIRTUAL_ENVIRONMENT}/scripts/activate"
+    else
+      source "${GHA_PIP_AUDIT_VIRTUAL_ENVIRONMENT}/bin/activate"
+    fi
   else
     die "Fatal: virtual environment is not a directory"
   fi

test/pylock/pylock.toml

@@ -0,0 +1,13 @@
+lock-version = "1.0"
+created-by = "pip"
+
+[[packages]]
+name = "pyyaml"
+version = "5.1"
+
+[packages.sdist]
+name = "PyYAML-5.1.tar.gz"
+url = "https://files.pythonhosted.org/packages/9f/2c/9417b5c774792634834e730932745bc09a7d36754ca00acf1ccd1ac2594d/PyYAML-5.1.tar.gz"
+
+[packages.sdist.hashes]
+sha256 = "436bc774ecf7c103814098159fbb84c2715d25980175292c648f2da143909f95"